Tags: re wat

Rating: 0

Binary is interpreting input string as a sequence of 15 two digit decimal numbers. Variable X is set to 0, after that each number determines next operation to be done with X. For example, operation 01 makes X += 0x58335249. After 15 operations abs(X) should be 0x6F2E255A.

If we look closely to numbers used in operations, we'll see that they are in fact ASCII codes. In said operation 01 0x58335249 is ASCII string X3RI, which is actually a Base64 encoded string _tH. All strings are ['0ys', '3_B', '3_y', '4rD', 'A_b', 'R1n', '_ID', '_Th', '_t0', '_tH', 'a11', 'gS_', 'sun', '{mY', '}']. We definitely see the word sun and curly braces, so it seems that we need to arrange these parts properly to get the flag.

Brute-forcing order of operations is hard. What if we can arrange parts directly, just by meaning? This it exactly what we've done. After a bit of trying different approaches we came to this simple function that just tries to add each part to prefix:
 python
def try_all(prefix):
parts = ['0ys', '3_B', '3_y', '4rD', 'A_b', 'R1n', '_ID', '_Th', '_t0', '_tH', 'a11', 'gS_', 'sun', '{mY', '}']
for part in parts:
if part not in prefix:
print(prefix + part)

Example output:

>>> try_all('sun{mY_ID')
sun{mY_ID0ys
sun{mY_ID3_B
sun{mY_ID3_y
sun{mY_ID4rD
sun{mY_IDA_b
sun{mY_IDR1n
sun{mY_ID_Th
sun{mY_ID_t0
sun{mY_ID_tH
sun{mY_IDa11
sun{mY_IDgS_
sun{mY_ID}


Using this approach we got flag from parts in a minute, sun{mY_IDA_bR1ngS_a11_Th3_B0ys_t0_tH3_y4rD} (or sun{mY_IDA_bR1ngS_a11_tH3_B0ys_t0_Th3_y4rD}, I don't really remember).